CVE-2021-40113
📋 TL;DR
Multiple vulnerabilities in the web-based management interface of the Cisco Catalyst PON Series Switches Optical Network Terminal (ONT) allow unauthenticated, remote attackers to log in with default credentials, perform command injection, and modify the device configuration. Organizations running these switches with default or weak configurations are affected. The CVSS score of 10.0 indicates critical severity with maximum impact potential.
💻 Affected Systems
- Cisco Catalyst PON Series Switches Optical Network Terminal (ONT)
📦 What is this software?
- Catalyst Pon Switch Cgp Ont 1p Firmware by Cisco
- Catalyst Pon Switch Cgp Ont 4p Firmware by Cisco
- Catalyst Pon Switch Cgp Ont 4pv Firmware by Cisco
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of network infrastructure, unauthorized configuration changes, data exfiltration, and persistent backdoor access leading to network-wide disruption.
Likely Case
Unauthorized access to network devices, configuration tampering, service disruption, and potential lateral movement within the network.
If Mitigated
Limited impact with proper access controls, network segmentation, and updated credentials, though vulnerabilities remain present.
🎯 Exploit Status
Exploiting the default credentials requires minimal technical skill. The command injection may require more specific knowledge, but it is documented in the Cisco advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to the Cisco advisory for the specific fixed versions
Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-catpon-multivulns-CE3DSYGr
Restart Required: Yes
Instructions:
1. Review the Cisco advisory for affected models.
2. Download the appropriate firmware update from the Cisco Software Center.
3. Back up the current configuration.
4. Apply the firmware update following Cisco documentation.
5. Verify that the update succeeded and restore the configuration if needed.
🔧 Temporary Workarounds
Disable Telnet Protocol (applies to: all)
Prevents default-credential login via Telnet
no telnet enable
Change Default Credentials (applies to: all)
Replaces factory default credentials with strong, unique passwords
username admin password <strong_password>
Restrict Management Interface Access (applies to: all)
Limits the web management interface to trusted networks only
access-list 10 permit <trusted_network>
ip http access-class 10
🧯 If You Can't Patch
- Implement strict network segmentation to isolate PON switches from untrusted networks
- Enable comprehensive logging and monitoring for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Compare the device firmware version against the Cisco advisory, and check whether Telnet is enabled and whether default credentials are still in use.
Check Version:
show version
Verify Fix Applied:
Confirm that the firmware version matches the patched release. Test that the default credentials no longer work and that command injection attempts are rejected.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts from unknown IPs
- Successful logins with default credentials
- Configuration changes from unauthorized users
- Telnet connection attempts
Network Indicators:
- Unexpected traffic to/from PON management interfaces
- Telnet sessions to PON devices
- HTTP/HTTPS requests to management interface from unusual sources
SIEM Query:
source_ip="PON_management_IP" AND (event_type="authentication_failure" OR event_type="configuration_change")
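As an added example (not from this page, Cisco or the advisory), the log and network indicators above expressed as a small detector that runs over constructed key=value log lines; the ONT management addresses, the trusted admin network behind the access-list 10 workaround, and the port-to-protocol map are assumptions for the example.

```python
import ipaddress
from typing import NamedTuple

# Constructed values: ONT management addresses and the admin network assumed to be permitted by access-list 10.
PON_MGMT_IPS = {"192.0.2.10", "192.0.2.11"}
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
MGMT_PORTS = {23: "telnet", 80: "http", 443: "https"}
ALERT_EVENTS = {"authentication_failure", "configuration_change"}

class Event(NamedTuple):
    src_ip: str      # client that contacted the ONT
    dst_ip: str      # ONT management address
    dst_port: int
    event_type: str  # login_success, authentication_failure, configuration_change

def parse_line(line: str) -> Event:
    """Parse a constructed key=value line: 'src=... dst=... dport=... event=...'."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Event(kv["src"], kv["dst"], int(kv["dport"]), kv["event"])

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def classify(ev: Event) -> list:
    """Return the indicators from the page that an event matches (empty = no alert)."""
    if ev.dst_ip not in PON_MGMT_IPS:
        return []
    hits = []
    proto = MGMT_PORTS.get(ev.dst_port)
    if proto == "telnet":                        # Telnet should be disabled on the ONT
        hits.append("telnet_to_pon_device")
    if proto and not is_trusted(ev.src_ip):      # management access from outside the trusted network
        hits.append(f"{proto}_mgmt_from_untrusted_source")
    if ev.event_type in ALERT_EVENTS:            # the two event types in the SIEM query above
        hits.append(ev.event_type)
    return hits

def scan(lines):
    # Return (event, indicators) for each line that raises at least one indicator.
    pairs = [(ev, classify(ev)) for ev in map(parse_line, lines)]
    return [(ev, hits) for ev, hits in pairs if hits]

# Constructed sample log lines, not from a real device.
SAMPLE_LOG = [
    "src=198.51.100.5 dst=192.0.2.10 dport=443 event=login_success",
    "src=198.51.100.5 dst=192.0.2.10 dport=443 event=configuration_change",
    "src=203.0.113.7 dst=192.0.2.10 dport=23 event=login_success",
    "src=203.0.113.7 dst=192.0.2.11 dport=80 event=authentication_failure",
    "src=198.51.100.5 dst=192.0.2.99 dport=443 event=configuration_change",
]
```

Events against addresses outside PON_MGMT_IPS are ignored, so a change from a trusted admin host over HTTPS still surfaces only as a configuration_change for review, while any Telnet session or management access from outside the trusted network is flagged regardless of outcome.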